What is Vulnerability Management?

"The on-going approach to the collection and analysis of information
regarding vulnerabilities, exploits and possible inappropriate
communications in identifying the level of IT risk the ATO may be
facing at any one instant in time."
VMR Roles and Responsibilities

Security Testing - Penetration Testing & Security Assessments

Incident Response

Threat Intelligence

Innovation

Provision of Advice

Technology compliance

and then some!

"Vulnerability Centric - Evidence based"

Organisational Chart
Vulnerability Management & Research (VMR)

Vulnerability Management and Research - Anatomy of VMR
What is a Penetration Tester?

An out-of-the-box thinker

One who bends computers to their will

What's with the hats?

Black = Cracker, script kiddie

White = Ethical Hacker / Corporate Hacker

Grey = Full disclosure and Hacktivist

What is a Penetration Test?

"A program of systematic testing that identifies weaknesses
inherent in IT systems. System owners and Security
administrators use the results of the testing to improve the
security posture of the application/system and therefore
improve the overall ATO IT environment."
How is a Penetration Test performed?

VMR - Penetration Test Team coordinates along with the project manager

Penetration Test reviewed by relevant stakeholders

Once a Penetration Test is finalised, it is approved by the Director - VMR, the AC Trusted Access and the system owner

VMR conducts de-briefing sessions with the System Owners

Flows into the compliance aspect

Any residual risk is accepted by the System Owner

Does not end there!
VMR's penetration testing is normally conducted in four phases:

Test Phase                      Activities

Planning and Reconnaissance     Information gathering. Setting up and setting expectations.

Probing Phase                   Vulnerability identification.

Attack Phase                    Exploitation of identified vulnerabilities through penetration.
                                Optional - social engineering. Optional - physical penetration.

Reporting Phase                 Detailed reporting on the activities, results and recommendations
                                as a result of testing.
Structure of a Pen Test : Incorporating DREAD model

Each finding is rated on two scales, consequence and likelihood; the two ratings are then combined in the risk matrix on the next slide.

CONSEQUENCE

Consequence     Consequence Description

Insignificant   No injuries, low financial loss

Minor           First aid treatment, on-site release immediately contained, medium financial loss

Moderate        Medical treatment required, on-site release contained with outside assistance, high financial loss

High            Extensive injuries, loss of production capability, off-site release with no detrimental effects, major financial loss

Very High       Death, toxic release off-site with detrimental effect, huge financial loss

LIKELIHOOD

Likelihood      Likelihood Description

Almost certain  Is expected to occur in most circumstances

Likely          Will probably occur in most circumstances

Possible        Might occur at some time

Unlikely        Could occur at some time

Rare            May occur only in exceptional circumstances
Structure of a Pen Test :

LEVEL OF RISK:

A finding's rating is read from the row for its likelihood and the column for its consequence. This is the qualitative likelihood/consequence matrix from AS/NZS 4360 (Risk management).

                                     Consequences
Likelihood        Insignificant   Minor   Moderate   High   Very High

Almost certain    H               H       E          E      E

Likely            M               H       H          E      E

Possible          L               M       H          E      E

Unlikely          L               L       M          H      E

Rare              L               L       M          H      H

E: extreme risk; immediate action required

H: high risk; senior management attention needed

M: moderate risk; management responsibility must be specified

L: low risk; manage by routine procedures
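The following is an added worked example, not VMR's or the ATO's own code: it encodes the likelihood/consequence matrix above, rates a set of findings, orders them for the report with the required action attached, and checks the one property a risk matrix must have (the rating never drops when likelihood or consequence rises), which is worth re-running whenever the matrix is tailored for a particular system. The sample findings are constructed for illustration and are hypothetical.

```python
"""Rate penetration-test findings on a likelihood/consequence risk matrix."""
from dataclasses import dataclass

# Axis order, lowest to highest, as on the slide.
LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Almost certain"]
CONSEQUENCE = ["Insignificant", "Minor", "Moderate", "High", "Very High"]

# One row per likelihood; the characters run Insignificant .. Very High.
MATRIX = {
    "Almost certain": "HHEEE",
    "Likely":         "MHHEE",
    "Possible":       "LMHEE",
    "Unlikely":       "LLMHE",
    "Rare":           "LLMHH",
}

# Required action per rating, as given under the matrix.
ACTION = {
    "E": "extreme risk; immediate action required",
    "H": "high risk; senior management attention needed",
    "M": "moderate risk; management responsibility must be specified",
    "L": "low risk; manage by routine procedures",
}
RANK = {"L": 0, "M": 1, "H": 2, "E": 3}


def rate(likelihood: str, consequence: str) -> str:
    """Return the matrix cell (L/M/H/E) for a likelihood and a consequence."""
    if likelihood not in MATRIX or consequence not in CONSEQUENCE:
        raise ValueError(f"unknown rating: {likelihood!r} / {consequence!r}")
    return MATRIX[likelihood][CONSEQUENCE.index(consequence)]


def matrix_is_monotone() -> bool:
    """True if the rating never decreases when either axis increases."""
    for i, lik in enumerate(LIKELIHOOD):
        for j, con in enumerate(CONSEQUENCE):
            here = RANK[rate(lik, con)]
            if i > 0 and RANK[rate(LIKELIHOOD[i - 1], con)] > here:
                return False
            if j > 0 and RANK[rate(lik, CONSEQUENCE[j - 1])] > here:
                return False
    return True


@dataclass
class Finding:
    title: str
    likelihood: str
    consequence: str


def rank_findings(findings):
    """Rate each finding and order the report highest risk first.

    Ties keep the tester's original order (Python's sort is stable).
    Returns a list of (title, rating, required action) tuples.
    """
    rated = [(f, rate(f.likelihood, f.consequence)) for f in findings]
    rated.sort(key=lambda fr: RANK[fr[1]], reverse=True)
    return [(f.title, r, ACTION[r]) for f, r in rated]


# Constructed sample findings (hypothetical, not from any real test).
SAMPLE_FINDINGS = [
    Finding("Default banner discloses product version", "Rare", "Minor"),
    Finding("Outdated TLS cipher suites accepted", "Possible", "Minor"),
    Finding("Verbose stack traces on error pages", "Almost certain", "Insignificant"),
    Finding("Unauthenticated admin console reachable from user LAN", "Likely", "High"),
]


if __name__ == "__main__":
    assert matrix_is_monotone()
    for title, rating, action in rank_findings(SAMPLE_FINDINGS):
        print(f"[{rating}] {title}: {action}")
```

The matrix is kept as data rather than as nested conditionals so that a system owner's tailored version can be dropped in and immediately checked with matrix_is_monotone(); a matrix that fails that check will produce report orderings nobody can defend at the approval step.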
What is it good for?

> Tests exposure to known security threats and vulnerabilities from both internal and external attack

> Provides a snapshot in time of what security looks like. Sets a benchmark.

> Assesses monitoring and escalation procedures

> Provides advice, solutions and recommendations to enhance the ATO's security posture at both the enterprise and/or process level.

Results enable VMR to provide early identification to project areas of common known vulnerabilities.
What are the benefits? (for the Client)

> Improved information security knowledge and understanding around the real threats and vulnerabilities in ATO applications and processes.

> Proactive identification of potential risk and provision of assistance in mitigating these risks immediately.

> Assists in the decision making process, i.e. Go Live!

> Is not an assurance/compliance/audit activity - it can be part of one, and/or assurance can be derived from an interpretation of the results.
Summary and Take Aways

> Start small and expand slowly

> Apps or Network etc.

> Develop and document your process - market it clearly

> Get proper approval!

> Recruit effectively - capable and qualified staff

> Training is essential

> Supporting Infrastructure - cost and maintenance

> Embrace convergence and integration

> It is a feature for you but a BENEFIT for the Client.